[DNSOP] Re: [Ext] Dnsdir last call review of draft-ietf-dnsop-rfc8109bis-05

Paul Hoffman <paul.hoffman@icann.org> Tue, 23 July 2024 21:45 UTC

To: Di Ma <madi@juicybun.cn>
CC: "dnsdir@ietf.org" <dnsdir@ietf.org>, dnsop <dnsop@ietf.org>, "draft-ietf-dnsop-rfc8109bis.all@ietf.org" <draft-ietf-dnsop-rfc8109bis.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>

On Jul 16, 2024, at 00:06, Di Ma via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Di Ma
> Review result: Ready with Issues
> 
> This version adds more discussion of DNSSEC to the priming exchange, which I
> think needs clearer statements.
> 
> In this document, the authors say “With such resolvers, an attacker that
> controls a rogue root server effectively controls the entire domain name space
> and can view all queries and alter all unsigned data undetected.”
> 
> However, this is not true when a DNSSEC-aware resolver has been configured with
> one or more Trust Anchors from some TLDs. In such a case, it is not safe to say
> "an attacker that controls a rogue root server effectively controls the entire
> domain name space".

Thank you for your review. Your addition is technically accurate, but that configuration is not known to be common. Further, your note would apply to any level in the DNS hierarchy, and describing it would be difficult in a document that is about priming the root.

If there is any research that indicates widespread use of such TLD-or-below trust anchors, that would be really interesting to hear about.

--Paul Hoffman